Dear Clinton Team: We Noticed You Might Need Some Email Security Tips

There is probably no one more acutely aware of the importance of good cybersecurity right now than Hillary Clinton’s campaign chairman John Podesta, whose emails have been laid bare by Wikileaks, are being mined for news by journalists (including at The Intercept), and are available for anyone with internet access to read.

So as a public service to Podesta and everyone else on Clinton’s staff, here are some email security tips that could have saved you from getting hacked, and might help you in the future.

Use a strong password

There’s a method for coming up with passwords that are mathematically unfeasible for anyone to ever guess by brute force, but that are still possible for you to memorize. I’ve written about it before, in detail, including an explanation of the math behind it.

But in short: You start with a long list of words and then randomly select one (by rolling dice), then another, and so on, until you end up with something like: “slinging gusty bunny chill gift.” Using this method, called Diceware, there is a one in 28 quintillion (that is, 28 with eighteen zeros at the end) chance of guessing this exact password.

For online services that prevent attackers from making very many guesses — including Gmail — a five-word Diceware password is much stronger than you’ll ever need. To make it super easy, use this wordlist from the Electronic Frontier Foundation.
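Here is the Diceware procedure described above as a short Python sketch; it is an added example, not code from the original article or from the EFF. It assumes a wordlist file laid out as a dice key, a tab, and a word on each line, with five-dice keys (7,776 words), the size that produces the one-in-28-quintillion figure; the function names and the stand-in wordlist are constructed for illustration.

```python
import math
import secrets

def load_wordlist(text):
    """Parse 'DICEKEY<TAB>word' lines into a dict and check the list is complete."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        if set(key) - set("123456"):
            raise ValueError(f"not a dice key: {key!r}")
        words[key] = word.strip()
    if not words:
        raise ValueError("empty wordlist")
    rolls = len(next(iter(words)))
    # A usable list has one word for every possible roll, e.g. 6**5 = 7776.
    if any(len(k) != rolls for k in words) or len(words) != 6 ** rolls:
        raise ValueError("wordlist is incomplete or has mixed key lengths")
    return words, rolls

def roll_word(words, rolls):
    """Pick one word by simulating `rolls` fair dice with the OS CSPRNG."""
    key = "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))
    return words[key]

def passphrase(words, rolls, n_words=5):
    """Join independently rolled words into one passphrase."""
    return " ".join(roll_word(words, rolls) for _ in range(n_words))

def search_space(list_size, n_words):
    """Number of equally likely passphrases, and the same figure in bits."""
    total = list_size ** n_words
    return total, math.log2(total)

def constructed_wordlist(rolls=5):
    """Constructed stand-in list: placeholder words 'w11111' .. 'w66666'."""
    keys = [""]
    for _ in range(rolls):
        keys = [k + d for k in keys for d in "123456"]
    return "\n".join(f"{k}\tw{k}" for k in keys)

if __name__ == "__main__":
    words, rolls = load_wordlist(constructed_wordlist())
    print(passphrase(words, rolls))
    for n in (5, 7):
        total, bits = search_space(len(words), n)
        print(f"{n} words: {total:,} possibilities ({bits:.1f} bits)")
```

To use a real list, pass the contents of the downloaded wordlist file to `load_wordlist` in place of `constructed_wordlist()`.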

Do not use a weak password

So if that’s a strong password, what does a weak password look like? “Runner4567.”

The same day that Wikileaks published Podesta’s email, his Twitter account got hacked as well. How do you think that happened? I have a guess: He reused a password that was exposed in his email, and someone tried it on his Twitter account.

Even if you use a strong password, it quickly becomes worthless if you use it everywhere. The average person has accounts on dozens of websites. For those who reuse passwords, all it takes is for any one of those sites to get hacked and your password to get compromised, and the hacker can gain access to your accounts on all of them.

You can avoid this by using different strong passwords for every account. The only way that this is possible is by using a password manager, a program that remembers all your passwords for you (in an encrypted database) so you don’t have to. You should secure your password manager with an especially strong password. I recommend a seven-word Diceware passphrase.

There are many password managers to choose from: KeePassX, LastPass, 1Password, and many more. Shop around for whichever one fits your organization the best. It doesn’t so much matter which you use, so long as you use strong, unique passwords for each account. Password managers also help you generate secure random passwords.